Summary

Under the proposed Cloud and AI Development Act (CADA), the risk assessment (Article 29) is a mandatory, binding obligation for Member States and Union entities to determine the required Union assurance level for public sector activities, directly dictating procurement rules. In contrast, the impact assessment (Article 31) is currently a voluntary tool for private sector entities in critical sectors to evaluate similar dependencies. While both share a similar purpose and methodology to mitigate risks to operational continuity and data sovereignty, only the public sector assessment carries immediate legal consequences for procurement. However, the Commission retains the power to make impact assessments mandatory for high-criticality private entities via delegated acts under Article 31(3).

Detail

The Cloud and AI Development Act (CADA), as proposed in COM(2026) 502 final, establishes a dual-track framework for assessing cloud and AI dependencies. This framework sharply distinguishes between the public sector, where sovereignty is a matter of public order, and the private sector, where the approach is initially permissive but subject to future escalation. Understanding the divergence between the mandatory risk assessment under Article 29 and the voluntary impact assessment under Article 31 is critical for compliance planning, as the obligations, deadlines, and legal consequences differ significantly.

The Mandatory Public Sector Risk Assessment (Article 29)

Article 29 establishes a binding obligation for Member States and Union entities to conduct risk assessments. This is not a discretionary exercise; it is a core compliance requirement designed to map public sector activities against the CADA's four-tier Union assurance levels (UALs).

Who must act: Member States and Union entities (institutions, bodies, offices, and agencies).

The Obligation: Within one year of the Regulation's entry into force, and every two years thereafter (or whenever necessary), these entities must carry out risk assessments that:

  1. Identify public sector activities using cloud computing services that contribute to the preservation of public order. This includes sectors falling under Annex I or II of the NIS2 Directive, as well as national security, internal security, external border management, defence, justice, and law enforcement.
  2. Determine which Union assurance level (2, 3, or 4) is appropriate for these activities.

Methodology: The assessment must consider the sensitivity, criticality, and magnitude of data processed, including the risk of unlawful access by third countries and the risk of service disruption. The Commission will issue implementing acts specifying the methodology, templates, and elements to be taken into account. Crucially, if a risk assessment requires migration to a different cloud service, the entity must migrate within a reasonable transition period not exceeding 12 months.

Consequences: The outcome of the Article 29 risk assessment directly dictates procurement rules under Article 30. If an activity is identified as contributing to public order preservation, the contracting authority must only procure cloud computing services recognized as offering Union assurance levels 2, 3, or 4. Failure to align procurement with the risk assessment result constitutes a breach of the Regulation.

The Voluntary Private Sector Impact Assessment (Article 31)

Article 31 creates a parallel but distinct mechanism for the private sector. It is designed to encourage entities in critical infrastructure sectors to adopt similar risk-aware practices without imposing the same immediate statutory burden.

Who may act: Entities referred to in Annex I of the NIS2 Directive (essential and important entities) that are not public sector bodies.

The Obligation: Currently, this is permissive, not mandatory. Article 31(1) states that these entities "may carry out similar assessments as those set out in Article 29." This means private companies can voluntarily evaluate their cloud dependencies using a methodology akin to the public sector risk assessment to identify vulnerabilities and plan mitigation strategies.

Methodology: The Commission may issue guidance on the methodology for carrying out these impact assessments and on possible mitigation measures. This guidance aims to standardize the approach across the private sector, ensuring that voluntary assessments are robust and comparable.

The Escalation Clause (Article 31(3)): While currently voluntary, Article 31 contains a significant escalation mechanism. The Commission is empowered to adopt delegated acts to supplement the Regulation if it concludes, based on specific circumstances and in consultation with Member States, that entities in sectors of high criticality require an impact assessment. If such a delegated act is adopted, the impact assessment becomes mandatory for those specific entities, along with specified risk mitigation measures. This creates a "soft law" pathway that can harden into binding law without amending the primary legislation.

Key Differences at a Glance

Feature             Article 29 Risk Assessment                          Article 31 Impact Assessment
------------------  --------------------------------------------------  ----------------------------------------------------
Target audience     Member States & Union entities                      Private entities in NIS2 Annex I sectors
Status              Mandatory                                           Voluntary (unless escalated by the Commission)
Frequency           Every 2 years or as necessary                       Not specified (guided by the Commission)
Primary output      Determines mandatory procurement assurance level    Identifies vulnerabilities & mitigation steps
Legal consequence   Binding procurement restrictions (Art 30)           No direct procurement ban; potential future mandate

What this means for you

For in-house counsel and compliance officers, the distinction between these two assessments dictates your immediate action plan and long-term risk strategy.

For Public Sector Bodies: You are subject to Article 29. You must initiate your risk assessment process immediately, as the deadline is one year after the Regulation's entry into force. You cannot procure cloud services for activities related to public order without first determining the appropriate assurance level. Ensure your procurement teams are aligned with the results of the risk assessment, as Article 30 mandates that services for these activities must meet Union assurance levels 2, 3, or 4. Note that you must consider multi-vendor or multi-cloud strategies as part of this assessment to enhance resilience.

For Private Sector Entities (NIS2 Annex I): You are currently subject to Article 31 on a voluntary basis. However, you should treat this as a de facto mandatory preparation exercise. The Commission is empowered to issue guidance on the methodology, and it retains the power to make these assessments mandatory via delegated acts if it deems certain sectors too critical to remain unassessed. Proactively conducting an impact assessment using the Article 29 methodology demonstrates due diligence, helps identify exposure to third-country control, and positions you to comply swiftly if the Commission exercises its escalation power under Article 31(3).

Penalties and Enforcement: While Article 24 sets out penalties for infringements by cloud computing service providers, the obligations under Articles 29 and 31 fall on the buyers (public and private entities). For public authorities, non-compliance with the risk assessment and subsequent procurement rules could lead to challenges regarding the legality of public contracts and potential infringement procedures by the Commission. For private entities, while there are no direct fines specified for failing to conduct a voluntary impact assessment, failure to mitigate identified risks could exacerbate liabilities under other frameworks like NIS2 or DORA, especially if the Commission later mandates the assessment.

Common misconceptions

Misconception 1: "Article 31 is just a softer version of Article 29 with no teeth." While currently voluntary, Article 31 is not toothless. The Commission's power to adopt delegated acts under Article 31(3) means that the voluntary nature is conditional. If the Commission determines that specific high-criticality sectors pose a systemic risk, it can render the impact assessment mandatory. Ignoring this provision leaves organizations exposed to sudden regulatory shifts.

Misconception 2: "Private companies must use the exact same template as the public sector." Article 31 states that private entities may carry out "similar assessments." It does not mandate identical templates. The Commission will issue guidance on the methodology, but private entities have flexibility in how they structure their impact assessments, provided they address the core risks of third-country access and service disruption.

Misconception 3: "The risk assessment only applies to national security sectors." Article 29 explicitly extends beyond national security to include sectors falling under Annex I or II of the NIS2 Directive, as well as justice and law enforcement. This is a broad scope that encompasses energy, transport, banking, and digital infrastructure, meaning many public sector IT departments will be affected.

This is general information about a draft EU regulation, not legal advice.